{"id":20411,"date":"2026-05-26T08:54:33","date_gmt":"2026-05-26T08:54:33","guid":{"rendered":"https:\/\/sekuritasit.com\/?p=20411"},"modified":"2026-05-26T08:54:33","modified_gmt":"2026-05-26T08:54:33","slug":"cpanel-whm-authentication-bypass","status":"publish","type":"post","link":"https:\/\/sekuritasit.com\/index.php\/2026\/05\/26\/cpanel-whm-authentication-bypass\/","title":{"rendered":"cPanel &amp; WHM Authentication Bypass"},"content":{"rendered":"<table class=\"MsoNormalTable\">\n<colgroup>\n<col \/>\n<col \/>\n <\/colgroup>\n<tbody>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">\n<p>\n     What is the Vulnerability?\n    <\/p>\n<\/td>\n<td class=\"ts-desc\" colspan=\"1\" rowspan=\"1\">\n<p>\n     CVE-2026-41940 is a critical authentication bypass vulnerability affecting WebPros cPanel &amp; WHM, DNSOnly, and WP Squared installations. The vulnerability stems from improper handling of CRLF injection during the login and session-loading process, enabling attackers to forge authenticated sessions and gain unauthorized administrative access.<\/p>\n<p>     Successful exploitation may allow remote unauthenticated attackers to obtain full administrative control of vulnerable hosting environments, potentially leading to website compromise, credential theft, web shell deployment, malicious configuration changes, and persistent access.<\/p>\n<p>     CISA added CVE-2026-41940 to the Known Exploited Vulnerabilities (KEV) Catalog on April 30, 2026 due to evidence of active exploitation in the wild, with public proof-of-concept exploit code already available.\n    <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">\n<p>\n     What is the recommended Mitigation?\n    <\/p>\n<\/td>\n<td colspan=\"1\" rowspan=\"1\">\n<p>\n     \u2022 Affected versions include cPanel &amp; WHM releases prior to:<\/p>\n<p>     11.110.0.97<br \/>\n     <br \/>\n     11.118.0.63<br \/>\n     <br \/>\n     11.126.0.54<br \/>\n     <br \/>\n     11.132.0.29<br \/>\n     <br \/>\n     11.134.0.20<br \/>\n     <br \/>\n     11.136.0.5<\/p>\n<p>     Organizations should immediately:<br \/>\n     <br \/>\n     \u2022 Upgrade to vendor-fixed releases<br \/>\n     <br \/>\n     \u2022 Restrict exposure of WHM administrative interfaces<br \/>\n     <br \/>\n     \u2022 Review session directories and authentication logs<br \/>\n     <br \/>\n     \u2022 Rotate administrative credentials<br \/>\n     <br \/>\n     \u2022 Hunt for suspicious session creation activity\n    <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">\n<p>\n     What FortiGuard Coverage is available?\n    <\/p>\n<\/td>\n<td colspan=\"1\" rowspan=\"1\">\n<p>\n     \u2022 FortiGuard Intrusion Prevention System (IPS) Service: FortiGuard IPS Service provides coverage to detect and block exploitation attempts targeting CVE-2026-41940, including malicious authentication bypass attempts against vulnerable cPanel &amp; WHM deployments.<\/p>\n<p>     \u2022 FortiGuard Antivirus &amp; Behavior Detection: Protects against malicious payloads and post-exploitation activity associated with compromised cPanel environments, including detection of suspicious administrative session creation, web shell deployment, unauthorized privilege escalation, and abnormal process execution originating from exploited hosting infrastructure.<\/p>\n<p>     \u2022 FortiGuard Web Application Firewall (WAF): FortiGuard WAF provides protection against authentication bypass attempts, malicious HTTP requests, CRLF injection abuse, and suspicious session manipulation targeting vulnerable cPanel &amp; WHM services.<\/p>\n<p>     \u2022 FortiGuard Web Filtering: Blocks access to known malicious domains, attacker-controlled infrastructure, and command-and-control servers associated with exploitation campaigns targeting exposed cPanel administrative interfaces.<\/p>\n<p>     \u2022 FortiGuard Incident Response: Organizations that suspect compromise or unauthorized administrative access involving CVE-2026-41940 should engage FortiGuard Incident Response for rapid investigation, persistence analysis, credential exposure assessment, containment, and remediation.<\/p>\n<p>     \u2022 FortiGuard Labs Threat Intelligence: FortiGuard Labs continues to monitor active exploitation activity, emerging indicators of compromise, attacker infrastructure, and evolving tactics associated with CVE-2026-41940 to provide timely protections and actionable intelligence updates.\n    <\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/fortiguard.fortinet.com\/threat-signal-report\/6447\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a>\u00a0<\/p>","protected":false},"excerpt":{"rendered":"<p>What is the Vulnerability? CVE-2026-41940 is a critical authentication bypass vulnerability affecting WebPros cPanel &amp; WHM, DNSOnly, and WP Squared installations. The vulnerability stems from improper handling of CRLF injection during the login and session-loading process, enabling attackers to forge authenticated sessions and gain unauthorized administrative access. Successful exploitation may allow remote unauthenticated attackers to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-20411","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/posts\/20411","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/comments?post=20411"}],"version-history":[{"count":1,"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/posts\/20411\/revisions"}],"predecessor-version":[{"id":20416,"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/posts\/20411\/revisions\/20416"}],"wp:attachment":[{"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/media?parent=20411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/categories?post=20411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/tags?post=20411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}